Ticket #3304 (new)

Opened 3 years ago

Last modified 2 days ago

[patch] Support "httponly"-attribute in session cookie.

Reported by: arvin
Assigned to: nobody
Milestone:
Component: Contrib apps
Version: SVN
Keywords: session security
Cc: sam@robots.org.uk, jedie
Triage Stage: Someday/Maybe
Has patch: 1
Needs documentation: 0
Needs tests: 1
Patch needs improvement: 0

Description

The cookie used for the session id should get the "httponly"-attribute to mitigate XSS. See http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp.

Attachments

python.diff (1.1 kB) - added by arvin on 01/16/07 18:20:27.
Patch for python
django.diff (2.3 kB) - added by arvin on 01/16/07 18:21:05.
Patch for django
httponly.patch (3.8 kB) - added by cephelo@gmail.com on 03/24/07 21:56:24.
patch for supporting HttpOnly in cookies/session
httponly_docs.patch (2.6 kB) - added by cephelo@gmail.com on 03/24/07 21:56:51.
HttpOnly cookie docs
django_p26_patch.diff (2.5 kB) - added by rodolfo on 06/02/09 07:43:42.
patch to add "httponly" with Python 2.6 (with 2.5 it doesn't work, but doesn't show an error). Docs are the same as attached by cephelo.
django_httponly_patch.diff (5.4 kB) - added by rodolfo on 09/17/09 08:59:06.

Change History

01/14/07 20:42:08 changed by Simon Willison

I've always wondered if there's a downside to doing this - it seems like a great idea, but you rarely see sites actually doing it. It should definitely be possible to do this from Django, but I'd like confirmation that it doesn't break things for some browsers / proxies / what have you before recommending it be turned on by default. As far as I can tell it breaks the cookie spec (if such a thing exists).

01/16/07 18:19:24 changed by arvin

You are right that only a few sites use it, e.g. time.com. Maybe because most tools don't support it yet. PHP has it only since 5.2.0, Python doesn't have it so far.

The cookie spec is here:
http://wp.netscape.com/newsref/std/cookie_spec.html
http://www.faqs.org/rfcs/rfc2109.html

Firefox will likely have support in the far future:
https://bugzilla.mozilla.org/show_bug.cgi?id=178993

I'll attach two patches, one for python and one for django. With those it works for me with the development server. Since I'm new to django I might miss something.

01/16/07 18:20:27 changed by arvin

  • attachment python.diff added.

Patch for python

01/16/07 18:21:05 changed by arvin

  • attachment django.diff added.

Patch for django

01/16/07 18:30:21 changed by arvin

  • summary changed from Support "httponly"-attribute in session cookie. to [patch] Support "httponly"-attribute in session cookie..

Of course enabling SESSION_COOKIE_HTTPONLY without the python patch breaks the system. If the patches look good to you I will send the python patch to the project.

01/17/07 16:12:17 changed by

  • milestone deleted.

Milestone Version 1.0 deleted

(follow-up: ↓ 7 ) 01/18/07 00:47:39 changed by mir@noris.de

  • needs_better_patch set to 1.
  • stage changed from Unreviewed to Design decision needed.
  • needs_tests set to 1.
  • needs_docs set to 1.

Hmm, we probably can't use a patch that requires a patched python. Any different solution?

Also, could you point me to where the RFC is talking about 'httponly'? I couldn't find it at all. According to the specs from the Microsoft site, it makes the cookie unavailable to script languages.

01/18/07 03:54:39 changed by ubernostrum

It's worth noting that IE is the only browser likely to support this in the foreseeable future; the bug for it at Mozilla is still marked as NEW nearly four years after opening, and no-one seems to know what other vendors will do.

(in reply to: ↑ 5 ) 01/18/07 06:46:40 changed by arvin

Replying to mir@noris.de:

Hmm, we probably can't use a patch that requires a patched python. Any different solution?

Surely Python itself has to be extended. In Django we can check sys.hexversion and write that the feature only works with e.g. python 2.6 or higher.

Also, could you point me to where the RFC is talking about 'httponly'? I couldn't find it at all. According to the specs from the Microsoft site, it makes the cookie unavailable to script languages.

The RFC doesn't talk about 'httponly'. Microsoft introduced it later on.

The attribute makes the cookie unavailable to scripts in the browser, e.g. Javascript injected through XSS.

03/24/07 21:56:24 changed by cephelo@gmail.com

  • attachment httponly.patch added.

patch for supporting HttpOnly in cookies/session

03/24/07 21:56:51 changed by cephelo@gmail.com

  • attachment httponly_docs.patch added.

HttpOnly cookie docs

03/24/07 21:57:54 changed by cephelo@gmail.com

I've attached two new patches. The first is a patch to the Django sources that wraps the Python Cookie.py objects with very minimal wrappers. They merely intercept the HttpOnly flag and work with it, the rest is handled as before with Cookie/Morsel and SimpleCookie. It provides a SESSION_HTTP_ONLY setting True/False/None. It also provides the hook in HttpResponse.set_cookie(..., httponly=True). The second setting updates the docs/.

Firefox 3.0 will have it, it's working in 3.0a3, as I just tested my patch with. Also works fine in IE7.

Mozilla Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=178993
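As an added example (not one of the ticket's attached patches and not Django's own code), the stand-alone Python 3 script below shows both halves of what the ticket description and the comment above are after: emitting a session cookie with the HttpOnly attribute through the standard library's http.cookies Morsel (the Python 3 name of the Cookie.py module the patches wrap; the stdlib Morsel gained the httponly attribute in Python 2.6, as noted later in this thread), and auditing Set-Cookie header values for session cookies that lack HttpOnly or Secure. The cookie names, values and header samples are constructed for the example.

```python
"""Emit and audit HttpOnly session cookies with Python's standard library.

Added example, not code from the Django ticket or its patches. It uses the
stdlib http.cookies module (successor of the Cookie module discussed in the
thread) to build a Set-Cookie header value, then audits Set-Cookie lines for
session cookies that lack the HttpOnly attribute. All names, values and
header samples below are constructed.
"""
from http.cookies import SimpleCookie


def build_session_cookie(name, value, *, httponly=True, secure=True, path="/"):
    """Return the Set-Cookie header value for a session cookie.

    Follows the shape of the set_cookie(..., httponly=True) hook described
    in the ticket, but is an independent illustration built on SimpleCookie.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = path
    # Morsel treats "secure" and "httponly" as flag attributes: a false value
    # omits the flag from the rendered header entirely.
    morsel["httponly"] = httponly
    morsel["secure"] = secure
    # OutputString() renders the attributes in sorted order, e.g.
    # "sessionid=abc123; HttpOnly; Path=/; Secure".
    return morsel.OutputString()


def cookie_attributes(set_cookie_value):
    """Split a Set-Cookie header value into (cookie_name, {attr: value}).

    Attribute names are lowercased; flag attributes (HttpOnly, Secure) that
    carry no "=value" are stored as True.
    """
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name, attrs


def audit_set_cookie_headers(headers, session_cookie_names=("sessionid",)):
    """Return [(cookie_name, [missing_flags])] for every session cookie in
    `headers` that lacks HttpOnly (the XSS mitigation the ticket asks for)
    or Secure. Non-session cookies are ignored.
    """
    findings = []
    for value in headers:
        name, attrs = cookie_attributes(value)
        if name not in session_cookie_names:
            continue
        missing = [flag for flag in ("httponly", "secure") if flag not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


# Constructed Set-Cookie header values, not captured from any real site.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "sessionid=def456; Path=/",
    "csrftoken=zzz; Path=/",
    "sessionid=ghi789; Path=/; Secure",
]


if __name__ == "__main__":
    print("Set-Cookie:", build_session_cookie("sessionid", "abc123"))
    for cookie_name, missing in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(f"{cookie_name}: missing {', '.join(missing)}")
```

Running the script prints the header a hardened session cookie should carry and then flags the two constructed `sessionid` cookies that were set without HttpOnly; the `csrftoken` line is deliberately skipped so the audit stays focused on the session cookie the ticket is about.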

09/06/07 09:05:23 changed by anonymous

11/08/07 09:18:39 changed by anonymous

  • cc set to sam@robots.org.uk.

12/01/07 08:13:11 changed by jacob

  • stage changed from Design decision needed to Someday/Maybe.

Hacking around the Python Cookie objects just gives off that "code smell" to me, and I'm reluctant to check in smelly code to support a non-standard addition to HTTP.

Still, added security is always a good thing, so I'm pretty conflicted about this one. For now I'm going to mark this "someday/maybe" and move on, but a better patch would help move this back towards reality.

06/22/08 09:34:13 changed by mrts

  • milestone set to post-1.0.

This looks not to be in scope for 1.0.

08/28/08 15:35:23 changed by julianb

09/18/08 15:39:09 changed by mattrussell

Just to note that Python 2.6rc1 adds support for httponly in Cookie.Morsel

02/25/09 13:51:44 changed by

  • milestone deleted.

Milestone post-1.0 deleted

06/02/09 07:43:42 changed by rodolfo

  • attachment django_p26_patch.diff added.

patch to add "httponly" with Python 2.6 (with 2.5 it doesn't work, but doesn't show an error). Docs are the same as attached by cephelo.

07/28/09 11:29:32 changed by cyounkins

For more security information and browser support table: http://www.owasp.org/index.php/HTTPOnly

Also, did I just see a BasicAuth dialog for Trac? Whew, I sure hope not...

09/17/09 08:59:06 changed by rodolfo

  • attachment django_httponly_patch.diff added.

09/17/09 09:14:55 changed by rodolfo

  • keywords set to session security.
  • needs_better_patch deleted.
  • component changed from Core framework to Contrib apps.
  • needs_docs deleted.

I re-updated the patch, now with docs. This patch works on older Python versions (2.3-2.5) and a Python patch isn't needed.

This is a feature for "contrib" (sessions are in contrib), not for "core", so there are no problems with http://docs.djangoproject.com/en/dev/faq/install/#do-i-lose-anything-by-using-python-2-3-versus-newer-python-versions-such-as-python-2-5

03/17/10 10:55:05 changed by anonymous

The Firefox bug has been fixed, so it now supports HTTP-only cookies.

03/18/10 02:48:07 changed by jedie

  • cc changed from sam@robots.org.uk to sam@robots.org.uk, jedie.
